<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>PF: 擦洗(包的标准化)</title>
<link rev="made" href="mailto:www@openbsd.org">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="resource-type" content="document">
<meta name="description"   content="the OpenBSD FAQ page">
<meta name="keywords"      content="openbsd,faq,pf">
<meta name="distribution"  content="global">
</head>

<!--
Copyright (c) 2003, Nick Holland <nick@openbsd.org>
Copyright (c) 2003-2005, Joel Knight <enabled@myrealbox.com>

Permission to use, copy, modify, and distribute this documentation for
any purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all copies.

THE DOCUMENTATION IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS DOCUMENTATION INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS DOCUMENTATION
-->

<body bgcolor="#ffffff" text="#000000">
<!-- Passes validator.w3.org, please keep it this way;
please, use a max of 72 chars per line -->

<a href="../../../zh/index.html">
<img alt="[OpenBSD]" height=30 width=141
    src="../../../images/smalltitle.gif" border="0">
</a>
<p>
[<a href="../options.html">运行时选项</a>]
[<a href="index.html">索引</a>]
[<a href="../anchors.html">锚</a>]

<p>
<h1><font color="#e00000">PF: 擦洗(包的标准化)</font></h1>
<hr>

<h3>Table of Contents</h3>
<ul>
<li><a href="#intro">Introduction</a>
<li><a href="#options">Options</a>
</ul>

<hr>

<a name="intro"></a>
<h2>Introduction</h2>
"Scrubbing" is the normalization of packets so there are no ambiguities
in interpretation by the ultimate destination of the packet.  The scrub
directive also reassembles fragmented packets, protecting some operating
systems from some forms of attack, and drops TCP packets that have
invalid <a href="filter.html#tcpflags">flag</a> combinations.  A simple
form of the scrub directive:
<blockquote>
<tt>
scrub in all
</tt>
</blockquote>

<p>
This will scrub all incoming packets on all interfaces.

<p>
One reason not to scrub on an interface is if one is passing NFS through
PF.  Some non-OpenBSD platforms send (and expect) strange packets --
fragmented packets with the "do not fragment" bit set, which are
(properly) rejected by <tt>scrub</tt>.  This can be resolved by use of the
<tt>no-df</tt> option.  Another reason is some multi-player games have
connection problems passing through PF with <tt>scrub</tt> enabled.
Other than these somewhat unusual cases, scrubbing all packets is a
<i>highly recommended</i> practice.

<p>
The <tt>scrub</tt> directive syntax is very similar to the
<a href="filter.html">filtering</a> syntax which makes it easy to
selectively scrub certain packets and not others.
The <tt>no</tt> keyword can be used in front of <tt>scrub</tt> to
specify packets that will not be scrubbed.
Just as with <a href="nat.html#except"><tt>nat</tt> rules</a>, the first
matching rule wins.

<p>
More on the principle and concepts of scrubbing can be found in the
<i><a href="http://www.icir.org/vern/papers/norm-usenix-sec-01-html/index.html"
>Network Intrusion Detection: Evasion, Traffic Normalization, and
End-to-End Protocol Semantics</a></i> paper.

<a name="options"></a>
<h2>Options</h2>
<tt>Scrub</tt> has the following options:
<dl>
<dt><tt>no-df</tt>
<dd>Clears the <i>don't fragment</i> bit from the IP
packet header. Some operating systems are known to generate fragmented
packets with the <i>don't fragment</i> bit set. This is particularly
true with NFS. <tt>Scrub</tt> will drop such packets unless the
<tt>no-df</tt> option is specified. Because some operating systems
generate <i>don't fragment</i> packets with a zero IP identification
header field, using <tt>no-df</tt> in conjunction with <tt>random-id</tt>
is recommended.

<dt><tt>random-id</tt>
<dd>Replaces the IP identification field of
packets with random values to compensate for operating systems
that use predictable values. This option only applies to
packets that are not fragmented after the optional packet reassembly.

<dt><tt>min-ttl <i>num</i></tt>
<dd>Enforces a minimum Time To Live (TTL)
in IP packet headers.

<dt><tt>max-mss <i>num</i></tt>
<dd>Enforces a maximum Maximum Segment
Size (MSS) in TCP packet headers.

<dt><tt>fragment reassemble</tt>
<dd>Buffers incoming packet fragments and
reassembles them into a complete packet before passing them to the
filter engine. The advantage is that filter rules only have to deal
with complete packets and can ignore fragments. The drawback is the
increased memory needed to buffer packet fragments. This is the default
behavior when no <tt>fragment</tt> option is specified. This is also the
only <tt>fragment</tt> option that works with NAT.

<dt><tt>fragment crop</tt>
<dd>Causes duplicate fragments to be dropped
and any overlaps to be cropped. Unlike <tt>fragment reassemble</tt>,
fragments are not buffered but are passed on as soon as they arrive.

<dt><tt>fragment drop-ovl</tt>
<dd>Similar to <tt>fragment crop</tt>
except that all duplicate or overlapping fragments will be dropped as
well as any further corresponding fragments.

<dt><tt>reassemble tcp</tt>
<dd>Statefully normalizes TCP connections.
When using <tt>scrub reassemble tcp</tt>, a direction (in/out) may not
be specified.
The following normalizations are performed:
        <ul>
        <li>Neither side of the connection is allowed to reduce their
        IP TTL. This is done to protect against an attacker sending a packet
        such that it reaches the firewall, affects the held state
        information for the connection, and expires before reaching the
        destination host. The TTL of all packets is raised to the highest
        value seen for the connection.
        <li>Modulate
        <a href="http://www.geektools.com/rfc/rfc1323.txt">RFC1323</a>
        timestamps in TCP packet headers with a random number. This can
        prevent an observer from deducing the uptime of the host or from
        guessing how many hosts are behind a NAT gateway.
        </ul>
</dl>

<p>
Examples:
<blockquote>
<tt>
scrub in on fxp0 all fragment reassemble min-ttl 15 max-mss 1400<br>
scrub in on fxp0 all no-df<br>
scrub &nbsp;&nbsp; on fxp0 all reassemble tcp
</tt>
</blockquote>

<p>
[<a href="../options.html">运行时选项</a>]
[<a href="index.html">索引</a>]
[<a href="../anchors.html">锚</a>]

<p>
<hr>
<a href="index.html"><img height="24" width="24" src="../../../images/back.gif" border="0" alt="[back]"></a>
<a href="mailto:www@openbsd.org">www@openbsd.org</a>
<br>
<small>$OpenBSD: scrub.html,v 1.15 2008/07/30 10:35:44 nick Exp $</small>

</body>
</html>
<!--
Originally [OpenBSD: scrub.html,v 1.15]<br>
$Translation: scrub.html,v 1.2 2008/08/05 04:10:03 dongsheng Exp $<br>
-->
